Re: MondoSearch show the source of all files

From: Orp 664 (orp644at_private)
Date: Sat Oct 19 2002 - 01:10:44 PDT


    
    In-Reply-To: <20021010180935.14148.qmailat_private>
    
    >Date: 10 Oct 2002 18:09:35 -0000
    >From: thefastkid <thefastkidat_private>
    >To: bugtraqat_private
    >Subject: MondoSearch show the source of all files
    >
    >
    
    Although Mondosoft was not notified prior to the posting, Mondosoft 
    has reacted quickly and has remedied the situation within 24 hours, by 
    which time all Mondosoft customers were notified.
    See the following:
    Secure your site without updating: http://www.mondosoft.com/security-info.asp
    Obtaining an update: http://www.mondosoft.com/security-update.asp
    
    
    
    
    >
    >MondoSearch show the source of all files
    >--------------------------------------------
    >
    >Affected Program: MondoSearch 4.4
    >(possibly earlier versions too, but not tested)
    >Vendor: http://www.mondosoft.com
    >Vendor Status: not informed yet
    >Discovery Date: 10 oct 2002
    >
    >Problem
    >-------
    >You can see the source of the files that are in the same
    >directory and subdirectories
    >
    >
    >Example
    >-------
    >http://www.foo/cgi-bin2/MsmMask.exe?mask=/foo.asp
    >..to see the source of foo.asp in the root dir
    >
    >
    >Solutions
    >---------
    >* The program has to check if it is a real .cfg file
    >
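
The check the advisory asks for ("a real .cfg file"), sketched as an added example that is not part of the original thread and is not Mondosoft's code. The directory layout, the naming rule for mask files, and the names `resolve_mask` and `MaskRejected` are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: masks are bare names like "default.cfg" stored in one directory.
MASK_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.cfg")

class MaskRejected(ValueError):
    """The requested mask is not an allowed configuration file."""

def resolve_mask(mask: str, mask_dir: Path) -> Path:
    """Map the request's mask value to a file inside mask_dir, or raise."""
    # 1. Allowlist the raw value: no separators, "..", NUL bytes, trailing
    #    dots or stream suffixes, and the name must end in .cfg.
    if not MASK_NAME.fullmatch(mask):
        raise MaskRejected("not a bare .cfg file name")
    base = mask_dir.resolve(strict=True)
    candidate = (base / mask).resolve()
    # 2. With symlinks resolved, the file must still sit directly in base.
    if candidate.parent != base:
        raise MaskRejected("resolves outside the mask directory")
    # 3. Only an existing regular file is ever opened.
    if not candidate.is_file():
        raise MaskRejected("no such mask file")
    return candidate

def demo() -> dict:
    """Check constructed request values against a throwaway directory tree."""
    samples = ["default.cfg", "/foo.asp", "../foo.asp", "default.cfg.",
               "default.cfg/../../foo.asp", "foo.asp\x00.cfg", "missing.cfg",
               "link.cfg"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        masks = Path(tmp) / "masks"
        masks.mkdir()
        (masks / "default.cfg").write_text("constructed mask file\n")
        (Path(tmp) / "foo.asp").write_text("<% constructed script %>\n")
        (masks / "link.cfg").symlink_to(Path(tmp) / "foo.asp")
        for value in samples:
            try:
                results[value] = resolve_mask(value, masks).name
            except MaskRejected as exc:
                results[value] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    for value, outcome in demo().items():
        print(f"{value!r:30} {outcome}")
```

Checking the extension alone is not enough: the resolved-path comparison in step 2 is what stops a `.cfg` name that is a symlink to a script from being served.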
    



    This archive was generated by hypermail 2b30 : Sat Oct 19 2002 - 13:47:29 PDT